
Firewall filter : filter "pfe" ?

‎10-27-2017 01:57 AM

Dear community, I need your help.

I don't understand what "pfe" means in the "Filter" column of the "show firewall log" output.

admin@QFX5K-VCF> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:24:44  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103
10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:24:44  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103

 

 

I don't understand the Juniper documentation (https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-firewall-log...) saying:

Filter
    Displays the name of a configured firewall filter or service filter only if the packet hit the filter’s log action in a kernel filter (in the control plane). For any traffic that reaches the Routing Engine, the packets hit the log action in the kernel.

    For all other logged packets (packet hit the filter’s log action in the Packet Forwarding Engine), this field displays pfe instead of a configured filter name.

From my understanding, a firewall filter applied to a loopback only applies to traffic from/to the Routing Engine.

In the output below I don't understand why this traffic is dropped (UDP from 172.16.255.203 to 172.16.255.103). 172.16.255.103 is the switch (VCF QFX5100) where the output comes from.

admin@QFX5K-VCF> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
10:34:54  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103
10:34:54  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:34:54  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103

admin@QFX5K-VCF> show firewall log detail
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0 Name of protocol: UDP, Packet Length: 32768, Source address: 172.16.255.203:31213, Destination address: 172.16.255.103:4789
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0 Name of protocol: UDP, Packet Length: 25088, Source address: 172.16.255.203:14805, Destination address: 172.16.255.103:4789

If we look at the firewall filter configuration, I have a term with an "accept" action for VXLAN traffic: destination port 4789 with protocol UDP. The filter is applied to the input of the loopback interface.

However, the counter associated with the VXLAN "accept" term doesn't increment, which makes me suppose that the VXLAN traffic is not handled by the RE but by the PFE...

family inet {
    filter ACCESS-CONTROL {
        term ACCEPT-SSH {
            from {
                source-prefix-list {
                    SSH-LIST;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                policer LIMIT-5M;
                count ACCEPT-SSH;
                accept;
            }
        }
        term ACCEPT-OSPF {
            from {
                source-prefix-list {
                    ROUTER-IPV4;
                }
                destination-prefix-list {
                    OSPF-ADDRESS;
                    ROUTER-IPV4;
                }
                protocol ospf;
            }
            then accept;
        }
        term ACCEPT-BFD-MH {
            from {
                source-prefix-list {
                    BGP-NEIGHBOR;
                }
                destination-prefix-list {
                    LOOPBACK;
                }
                protocol udp;
                destination-port [ 4784 3784 ];
            }
            then accept;
        }
        term ACCEPT-BGP {
            from {
                source-prefix-list {
                    BGP-NEIGHBOR;
                }
                protocol tcp;
            }
            then accept;
        }
        term ACCEPT-VXLAN {
            from {
                protocol udp;
                destination-port 4789;
            }
            then {
                count ACCEPT-VXLAN;
                accept;
            }
        }
        term DISCARD-VRRP {
            from {
                destination-prefix-list {
                    VRRP;
                }
                protocol [ vrrp ah ];
            }
            then {
                discard;
            }
        }
        term ACCEPT-SNMP {
            from {
                source-prefix-list {
                    SNMP-CLIENT-LISTS;
                    SNMP-COMMUNITY-CLIENTS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol udp;
                destination-port snmp;
            }
            then {
                policer LIMIT-5M;
                count ACCEPT-SNMP;
                accept;
            }
        }
        term ACCEPT-NTP {
            from {
                source-prefix-list {
                    NTP-SERVER;
                    NTP-BOOT-SERVER;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol udp;
                destination-port ntp;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-NTP;
                accept;
            }
        }
        term ACCEPT-TRACEROUTE-UDP {
            from {
                protocol udp;
                ttl 1;
                destination-port 33435-33450;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-TRACEROUTE-UDP;
                accept;
            }
        }
        term ACCEPT-TRACEROUTE-ICMP {
            from {
                protocol icmp;
                ttl 1;
                icmp-type [ echo-request timestamp time-exceeded ];
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-TRACEROUTE-ICMP;
                accept;
            }
        }
        term ACCEPT-RADIUS {
            from {
                source-prefix-list {
                    RADIUS-SERVERS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol udp;
                source-port radius;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-RADIUS;
                accept;
            }
        }
        term ACCEPT-TACACS {
            from {
                source-prefix-list {
                    TACACS-SERVERS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol [ tcp udp ];
                source-port [ tacacs tacacs-ds ];
                tcp-established;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-TACACS;
                accept;
            }
        }
        term ACCEPT-DNS {
            from {
                source-prefix-list {
                    DNS-SERVERS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol [ udp tcp ];
                source-port 53;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-DNS;
                accept;
            }
        }
        term NO-ICMP-FRAGMENTS {
            from {
                is-fragment;
                protocol icmp;
            }
            then {
                count NO-ISCP-FRAG;
                discard;
            }
        }
        term ACCEPT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-reply echo-request time-exceeded unreachable source-quench router-advertisement parameter-problem ];
            }
            then {
                policer LIMIT-5M;
                count ACCEPT-ICMP;
                accept;
            }
        }
        term ALL-MCAST-HOST {
            from {
                destination-prefix-list {
                    ALL-MCAST-HOSTS;
                }
            }
            then accept;
        }
        term DISCARD-TTL_1-UNKNOWN {
            from {
                ttl 1;
            }
            then {
                count DISCARD-ALL-TTL_1-UNKNOWN;
                log;
                discard;
            }
        }
        term DISCARD-TCP {
            from {
                protocol tcp;
            }
            then {
                count DISCARD-TCP;
                log;
                discard;
            }
        }
        term DISCARD-NETBIOS {
            from {
                protocol [ tcp udp ];
                destination-port [ 137 138 139 ];
            }
            then {
                count DISCARD-NETBIOS;
                discard;
            }
        }
        term DISCARD-HSRP {
            from {
                destination-prefix-list {
                    HSRP;
                    MCAST-ROUTERS;
                }
                protocol udp;
                destination-port 1985;
            }
            then {
                discard;
            }
        }
        term DISCARD-UDP {
            from {
                protocol udp;
            }
            then {
                count DISCARD-UDP;
                log;
                discard;
            }
        }
        term DISCARD-ICMP {
            from {
                protocol icmp;
            }
            then {
                count DISCARD-ICMP;
                log;
                discard;
            }
        }
        term DISCARD-IP-OPTIONS {
            from {
                ip-options any;
            }
            then {
                count DISCARD-IP-OPTIONS;
                log;
                discard;
            }
        }
        term DISCARD-UNKNOWN {
            then {
                count DISCARD-UNKNOWN;
                log;
                discard;
            }
        }
    }
}
policer LIMIT-1M {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 256k;
    }
    then discard;
}
policer LIMIT-5M {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 512k;
    }
    then discard;
}
policer LIMIT-10M {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 1m;
    }
    then discard;
}

Who can help me to understand this drop?

Regards,

Salah

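As an added example (not part of the original thread, and not a Juniper tool), here is a small Python script that parses both forms of the output shown above, the tabular "show firewall log" view and the "show firewall log detail" records, and aggregates the hits by where they were logged (a named filter means the kernel filter, "pfe" means the Packet Forwarding Engine), action, protocol and destination port, so that the dominant dropped flow stands out. The sample output is constructed after the lines posted above; the third record in each sample (a TCP hit on a filter named ACCESS-CONTROL) is invented to show what a kernel-side entry looks like. Detail records that have been run together on a single line, as in the post, are still split apart.

```python
"""Triage Junos 'show firewall log' output: which flows hit a filter's log
action, and whether the hit happened in the kernel filter (filter name shown)
or in the Packet Forwarding Engine (filter shown as 'pfe')."""
import re
from collections import Counter

# Constructed sample output, modelled on the lines posted in the thread. The
# third row of each sample is invented to show a kernel-side (named filter) hit.
SUMMARY_SAMPLE = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
10:34:54  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103
10:34:54  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:34:55  ACCESS-CONTROL D  ae1.0        TCP             10.0.0.9                         172.16.255.103
"""

DETAIL_SAMPLE = """\
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0 Name of protocol: UDP, Packet Length: 32768, Source address: 172.16.255.203:31213, Destination address: 172.16.255.103:4789
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae2.0 Name of protocol: UDP, Packet Length: 25088, Source address: 172.16.255.203:14805, Destination address: 172.16.255.103:4789
Time of Log: 2017-10-27 10:34:57 CEST, Filter: ACCESS-CONTROL, Filter action: discard, Name of interface: ae1.0 Name of protocol: TCP, Packet Length: 60, Source address: 10.0.0.9:51000, Destination address: 172.16.255.103:23
"""

# Action column of the tabular view: A = accept, D = discard, R = reject.
ACTION_CODES = {"A": "accept", "D": "discard", "R": "reject"}

# One 'show firewall log detail' record (IPv4; ports are absent for e.g. ICMP).
DETAIL_RE = re.compile(
    r"Time of Log: (?P<time>[^,]+), Filter: (?P<filter>\S+), "
    r"Filter action: (?P<action>\S+), Name of interface: (?P<ifl>\S+) "
    r"Name of protocol: (?P<proto>\S+), Packet Length: (?P<length>\d+), "
    r"Source address: (?P<src>[\d.]+)(?::(?P<sport>\d+))?, "
    r"Destination address: (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_detail(text):
    """Parse 'show firewall log detail'. finditer is used instead of a
    per-line match so that records run together on one line are still split."""
    records = []
    for m in DETAIL_RE.finditer(text):
        rec = m.groupdict()
        rec["length"] = int(rec["length"])
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        records.append(rec)
    return records


def parse_summary(text):
    """Parse the tabular 'show firewall log' view (no ports in this view)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # 'Log :' banner, the 9-word column header, blank lines
        time, flt, action, ifl, proto, src, dst = fields
        records.append({"time": time, "filter": flt,
                        "action": ACTION_CODES.get(action, action),
                        "ifl": ifl, "proto": proto, "src": src, "dst": dst,
                        "sport": None, "dport": None, "length": None})
    return records


def in_pfe(rec):
    """True when the log hit happened in the Packet Forwarding Engine: Junos
    then prints 'pfe' in place of the configured filter name."""
    return rec["filter"] == "pfe"


def summarize(records):
    """Count hits per (where, action, proto, dst, dport) so the dominant
    dropped flow stands out, e.g. UDP/4789 (VXLAN) towards the local VTEP."""
    counts = Counter()
    for r in records:
        where = "pfe" if in_pfe(r) else "kernel:" + r["filter"]
        counts[(where, r["action"], r["proto"], r["dst"], r["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(parse_detail(DETAIL_SAMPLE)).most_common():
        print(n, *key)
```

Run it against a saved copy of the real output (paste it into DETAIL_SAMPLE or read it from a file) and look at the top entry: a "pfe" entry with action discard and destination port 4789 tells you the drop was applied in the forwarding engine, which a counter on the Routing Engine side of the filter will never reflect.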

Re: Firewall filter : filter "pfe" ?

‎10-27-2017 02:24 AM

@Daboss wrote:

From my understanding, a firewall filter applied to a loopback only applies to traffic from/to the Routing Engine.

Regards,

Salah

Hi, a filter applied to the lo0 interface is also applied at the PFE level.


Re: Firewall filter : filter "pfe" ?

‎10-27-2017 02:51 AM

Thanks for your quick reply.

What does that mean? Does it affect transit traffic? Or can we have traffic that is destined to the router but is not handled by the Routing Engine but by the PFE, for example VXLAN?

Why are my VXLAN packets dropped if I have a term that allows this traffic? How can I "accept" these packets destined to the PFE?

--

Salah


Re: Firewall filter : filter "pfe" ?

‎10-27-2017 06:27 PM

A filter applied on lo0 never affects transit traffic, but it is also programmed into the PFE and affects traffic that should be handled by the RE or locally by the PFE. Some protocols are offloaded to the PFE (LACP, BFD and some others); a filter applied to the PFE will affect these packets as well.


Re: Firewall filter : filter "pfe" ?

a month ago

Hi! I have the same question about Firewall Filter on interface lo0.

My configuration is:

MX480> show configuration firewall family inet filter ACCESS_CONTROL
set firewall family inet filter ACCESS_CONTROL term SNMP from source-prefix-list PERMIT_ADDRESS
set firewall family inet filter ACCESS_CONTROL term SNMP from protocol udp
set firewall family inet filter ACCESS_CONTROL term SNMP from destination-port snmp
set firewall family inet filter ACCESS_CONTROL term SNMP then accept
set firewall family inet filter ACCESS_CONTROL term OTHER then count DROP
set firewall family inet filter ACCESS_CONTROL term OTHER then log
set firewall family inet filter ACCESS_CONTROL term OTHER then discard
set interfaces lo0 unit 0 family inet filter input ACCESS_CONTROL

 

If I test this filter by doing an SNMPWALK from a source IP that doesn't match PERMIT_ADDRESS, to a destination IP on a physical interface (ge-2/0/0.0), the 'DROP' counter doesn't increment, and it makes me think that this traffic isn't going through firewall filter ACCESS_CONTROL for some reason that I can't explain.

Also, I have this message:

Sep 21 15:29:44 MX480> snmpd[6836]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 2.2.2.2 to 1.1.1.1 (COMMUNITY)

Where 2.2.2.2 is the source IP and 1.1.1.1 the destination IP configured on ge-2/0/0.0.

Do you have any suggestion?

Thanks

MM